Home/ Questions/Q 8013027
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T19:31:00+00:00

I’m implementing a web application using ASP.NET MVC and the Entity Framework using the

  • 0

I’m implementing a web application using ASP.NET MVC and the Entity Framework using the Repository pattern for data access. This application will have several unrelated users creating objects. Each user should have access only to their own objects.

Are there any patterns, or in-built EF functionality, that provide a method for ensuring that a user has access only to their own records?

I’m currently thinking of adding an owner field to all private domain objects and implementing a class that all queries to the DB must pass through. This class will determine if the domain object being queried is private. If so, this class will append a filter on owner to the query. Does this sound reasonable?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The second part of your question is very close to the description of the Repository Pattern. This approach can be used to address the record-by-record access issue by forcing insertions of user-specific filters.

    This approach decouples your client business logic from the implementation of row-based security: if you later decide to change the way that you implement your record-by-record access, all you need to modify is your repository implementation. The clients will not even need to recompile.

    EF defines a repository for all your business entities as a partial class. You can add an interface on top of it (in a separate file), and implement the methods of your repository using EF-generated methods:

    IMyRepository {
    IQueryable<ClientOrder> Orders;
    IQueryable<ServiceIssue> Issues;
}

// The other part of MyRepository is EF-generated.
// Assume that EF provides properties these properties:
// - ObjectSet<ClientOrder> AllOrders 
// - ObjectSet<ServiceIssue> AllIssues 
public partial SecureRepository : IMyRepository {
    private readonly Guid userId;
    public SecureRepository(Guid userId) : this() {
        this.userId = userId;
    }
    public IQueryable<ClientOrder> Orders {
        get {
            return AllOrders.Where(ord => ord.UserId == userId);
        }
    }
    public IQueryable<ServiceIssue> Issues {
        get {
            return AllIssues.Where(csi => csi.UserId == userId);
        }
    }
}

    You can add methods for writing that would set UserId on orders and issues before saving them to the database.

    • 0